Deploying FortiClient software to endpoints

The following is an overview of how to add endpoints to FortiClient EMS and configure FortiClient EMS to deploy FortiClient to endpoints.

You can deploy FortiClient to endpoints using Active Directory (AD) servers and workgroups. The two methods differ in which operations they support.

When using an AD server, you can deploy an initial installation of FortiClient (Windows) to endpoints, but you cannot deploy an initial installation of FortiClient (macOS). After FortiClient for Windows or macOS is installed on endpoints and endpoints are connected to FortiClient EMS, you can deploy upgrades, uninstallations, and replacements of both FortiClient for Windows and macOS using AD servers.

When using workgroups, you cannot deploy an initial installation of FortiClient to endpoints. However, after FortiClient is installed on endpoints and endpoints are connected to FortiClient EMS, you can use workgroups to uninstall and update FortiClient on endpoints.

The image below shows a deployment of FortiClient using FortiClient EMS with an AD server:

Deploy FortiClient from FortiClient EMS using an AD server to the desired endpoints.

The endpoints now have FortiClient installed and FortiClient Telemetry is connected to FortiClient EMS.

The image below shows a deployment of FortiClient (Windows) using FortiClient EMS with Windows workgroups:

You cannot use workgroups with FortiClient EMS to initially install FortiClient on endpoints. You must install FortiClient directly on endpoints. You can configure deployment packages that endpoint users can download to install FortiClient on endpoints. See Viewing deployment packages.

The endpoints now have FortiClient installed and FortiClient Telemetry is connected to FortiClient EMS.

Endpoints added using an AD service display in Endpoints > Domains, and endpoints added using Windows workgroups display in Endpoints > Workgroups.

You can install FortiClient on endpoints using an AD server without connecting FortiClient to FortiClient EMS as long as the username and password are correct on the profile's Deployment tab in FortiClient EMS.

You can only use workgroups to upgrade or uninstall FortiClient if it is already installed on the endpoints and connected to FortiClient EMS. You cannot use workgroups for initial installations of FortiClient. When using workgroups, the credentials on the Deployment tab in FortiClient EMS are not taken into account.

After you apply the endpoint policy to endpoint groups, EMS pushes profile changes to endpoints with the next Telemetry communication. FortiClient is installed on endpoints, and FortiClient connects Telemetry to FortiClient EMS.
